Plaintext: 15 Years of Pwn2Own
Welcome to Dark Reading in Plaintext, where each day we bring you insights around one topic important to cybersecurity professionals. Subscribe to get this delivered to your inbox!
Pwn2Own Over the Years
Before there were bug bounty programs and bug hunting events, there was Pwn2Own. In our lookback at the last 15 years of Pwn2Own, we trace how a scrappy contest for a select group of security researchers evolved into a premier global event. Companies pay attention to it. Careers have been made as some of the early winners landed security roles based on their skills. Pwn2Own did a lot to change perceptions around bug hunting to make it a legitimate security skill.
The Pwn2Own competition begins today in Vancouver, “and the 15th anniversary of the contest has already seen some amazing research demonstrated,” Dustin Childs, of Trend Micro’s Zero Day Initiative, writes today. Contestants have already successfully compromised Microsoft Teams, Oracle VirtualBox, Windows 11, and Mozilla Firefox. It’s a fun competition, but more importantly, Pwn2Own was one of the first arenas where researchers could collect money for finding bugs.
What to Hack? One of the original reasons for the competition was to show that contrary to popular opinion, Apple devices could be hacked. And Apple devices fell each year, often by way of the Safari web browser. For a while, Google Chrome seemed invulnerable, as the competition had no successful Chrome exploits for a few years. That is no longer the case though, as researchers have demonstrated over the years multiple ways to subvert Chrome’s security defenses.
The competition has evolved over the years as new tools and platforms have been added. BlackBerry was added to the lineup in 2010, and in 2011 the winning researcher targeted a use-after-free flaw in WebKit to compromise the BlackBerry Torch. Pwn2Own added industrial control systems to its lineup in 2019.
Mobile eventually became its own competition. The second Mobile Pwn2Own in Tokyo offered over $300,000 in prizes. In 2017, researchers were invited to hack iPhone 7, Samsung’s Galaxy S8, and Huawei’s Mate 9 Pro.
The Modern Pwn2Own. In 2012, ZDI revamped the format of the competition, from a race to see who could use the zero-day exploit first, to a three-day competition where contestants would earn points for the exploits they use. “We were trying to get away from the headlines, [such as] ‘Mac Hacked in Three Seconds,’” Aaron Portnoy, then-director of ZDI, said at the time.
Last year’s Pwn2Own had 23 separate entries targeting 10 products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and Enterprise Communications. Zoom and Microsoft Teams were in the newly created Enterprise Communications category. A pair of Dutch researchers won $200,000 after they chained together three bugs in the Zoom messenger client to gain code execution on the target machine.
A Legitimate Activity. Companies also started paying attention to the competition, showing up to watch what the researchers were going to do and releasing massive security updates a few days beforehand to close potential vulnerabilities the researchers may have been planning to use. Companies also started offering parallel prizes. Google offered an additional $20,000 in 2011 for anyone who compromised Chrome. Google upped that side bounty to $1 million a year later.
In one of the talks at this year’s Black Hat Asia, a researcher described how he uncovered new vulnerabilities after studying reports of Pwn2Own exploits.
Pwn2Own has also spurred some of the earliest discussions around vulnerability and exploit disclosure. ZDI originally acted as a broker, the middleman between the researcher and the vendor, to get the vulnerability fixed. Then came the year VUPEN refused to compete if it had to reveal the techniques the team used in its exploits. Researchers used to willingly explain their exploit techniques and methods for bypassing security mitigations when disclosing a vulnerability, but that spirit of openness was becoming increasingly rare, ZDI’s Brian Gorenc said back in 2012.
We will dig more into how bug bounties and exploit conversations have changed over the years in tomorrow’s newsletter.
Headlines on Tap
Subscribe to get the latest headlines delivered to you each morning with Dark Reading Daily.
On That Note
All the talk about vulnerabilities reminded us of a chart from a recent Dark Reading survey:
Some organizations are switching applications due to concerns about security, but just as many are not, according to the How Enterprises Are Securing the Application Environment report from Dark Reading. In the 2022 survey, 22% of respondents said their organization moved from one off-the-shelf vendor to another because of application security concerns. What’s more striking is that 40% in 2022 said neither vulnerabilities nor security issues ever caused them to change applications.